Alice Averlong🏳️⚧️Can't figure out how to get this damn ghidra extension to work. I have so many versions of ghidra and still, nope.
I JUST WANT TO HACK 32BIT DOS GAMES IS THAT SO WRONG
installing a new JDK and a different version of ghidra and a github actions version instead of a the release version
IT LIVES
so I got the ghidra-lx-loader extension from here (and unzipped it to reveal the zip), then got that version of ghidra (10.2.0), then installed it. seems to work fine
https://github.com/yetmorecode/ghidra-lx-loader/actions/runs/3518280046
https://github.com/yetmorecode/ghidra-lx-loader/actions/runs/3518280046
oh, error strings that specify what function they are, my beloved
oh this is a weird thing I didn't know existed.
you embed an int3 in your code, then a short JMP, and the ASCII characters "WVIDEO".
If the ASCII code is found, it ends up outputting a debug string in the Watcom debugger.
this game is so weird. I'm like 99% sure it saves background you're currently on into the save file.
not, like, an index into which background, but the background ITSELF
not, like, an index into which background, but the background ITSELF
correction: that's now 100%
it definitely does.
which is actually helpful.
I can load the game, move left and right, then save the game.
this'll export the current background to a file
I can load the game, move left and right, then save the game.
this'll export the current background to a file
I'm extracting all the backgrounds from Star Trek: Deep Space Nine: Harbringer.
I still haven't figured out how to attach the right palettes to images.
it's 256-color, and there's 43 palettes here. a bunch of them are similar so I can't just match them manually
it's 256-color, and there's 43 palettes here. a bunch of them are similar so I can't just match them manually
yeah I'm gonna have to automate extracting all these images and then figure out the palette nonsense. there's a bunch of files here. 307 of them, although at least one is a duplicate.
my wizards-apprentice script keeps trying to open my text editor
why
what is there for you in the hex editor, keyboard/mouse macro?
ahh it's because dosbox's "capture mouse" is a toggle. I'm inadvertently un-capturing.
automating a DOS game that requires you to capture the mouse in DOSBox is a fucking nightmare.
You can't tell where the cursor is! you can't consistently move it, either!
You can't tell where the cursor is! you can't consistently move it, either!
and this game is 100% mouse driven. I'm not sure there even ARE any keyboard commands.
maybe I can spy into DOSBox and pull the X/Y coordinates out of the virtual mouse driver?
assuming the virtual driver even has an idea. the game might have put the mouse driver in relative mode, and is doing its own cursor movement nonsense
the worst part is that for greater reliability I'm restarting dosbox for every file.
so I can't even set up a standardized memory location to spy on, since it changes every time I reboot DOSBox
so I can't even set up a standardized memory location to spy on, since it changes every time I reboot DOSBox
someday I'm gonna need to sit down and make my Universal External Debugging Interface.
A tcp/ip protocol for doing things like reading/writing memory and saving/loading savestates and providing input (keyboards, mice, controllers)
then go around and implement it in a bunch of emulators
A tcp/ip protocol for doing things like reading/writing memory and saving/loading savestates and providing input (keyboards, mice, controllers)
then go around and implement it in a bunch of emulators
so you could control an emulator from an external python script, or whatever language you want, so long as the UEDI is implemented
okay so I was able to find x/y cursor positions in RAM pretty easily. the trick is to do that in a way that can be done automatically/reliably.
or maybe I just need to stop restarting DOSbox.
or maybe I just need to stop restarting DOSbox.
I have a devious plan
so the mouse coords seem to consistently be at 2304500 bytes into the memory region where I find them, right? but that region moves around from launch to launch.
but it's also easy to find on the memory regions list:
it's 0x1001000 bytes long, which is a bit more than 16mb.
it's 0x1001000 bytes long, which is a bit more than 16mb.
and guess what my dosbox conf says?
memsize=16 (mb)
memsize=16 (mb)
so my script could launch DOSBox, then enumerate the memory regions allocated, and find the one that's 16mb, and that's the DOS RAM!
okay I confirmed this works manually. I can find the new DOS-RAM section, add 2304500 to it, and I get the x-pos of the cursor.
now to do it automatically.
I was kinda hoping there was an API that let me point at a process and go "hey what memory regions does this have mapped?"
NOPE
I looked up how cheat engine does it.
it's pretty simple.
you start at 0, and call VirtualQueryEx at that address.
it's pretty simple.
you start at 0, and call VirtualQueryEx at that address.
then you increase your pointer by the size of the region you found there, and try again.
so you just call VirtualQuery repeatedly on a ton of memory addresses.
why not
windows is one of the most operating systems in all the world
got it. hacked a bit on this script and now I have a script that takes a PID and tells you the address of the DOS RAM in that process:
https://github.com/nccgroup/memaddressanalysis/blob/master/Windows/memanalysis.py
and I have extracted all 306 distinct backgrounds.
the only problem? I don't have their palettes yet.
or rather, I do have their palettes, but I don't know which palette goes with which background.
the only problem? I don't have their palettes yet.
or rather, I do have their palettes, but I don't know which palette goes with which background.
here they all are, converted with a standardized palette.
most look "decent", but a bunch of clearly wrong.
most look "decent", but a bunch of clearly wrong.
so the game has some kind of "database" format, and it's in the .LST and .ALL files. I spotted it in ghidra, but I haven't tried to decode it yet.
the CB and CCS databases seem to reference palettes (or at least backgrounds), so one of them must be the datafile I'm looking for.
the CB and CCS databases seem to reference palettes (or at least backgrounds), so one of them must be the datafile I'm looking for.
OH NO
I just realized my computer crashed earlier and I had ghidra open. I may have lost all my reverse engineering work ;_;
ahh, nope. it's at least partially here. cool.
they compiled it with some version of Watcom C from 1994. I should find that version and figure out how it encodes FILE* because I can't really tell what's custom code and what's statically linked stdio.h code
CCS I think is for scripts.
oh god I do not want to decode the scripting language this thing uses. it has a big interpreter here and it's huge
Rairii@foone at least it's not an OBFUSCATED custom VM!
@Rairii IT'S X86 MACHINE CODE, OBFUSCATED IS THE ONLY WAY THEY MAKE 'EM
(((Jann Gobble)))🏳️🌈@foone Sounds like you've already made your decision, eh? 😂
okay it's got a function that tries to find... three greys.
instead of putting them at standard positions in the palette, every time it loads a palette, it goes through all the palette entries and finds the color that's closest to that shade of grey.
The three shades are: black, rgb(161,161,161), and white.
huh.
instead of putting them at standard positions in the palette, every time it loads a palette, it goes through all the palette entries and finds the color that's closest to that shade of grey.
The three shades are: black, rgb(161,161,161), and white.
huh.
I found the font renderer.
I wasn't even looking for one! this isn't a death generator thing!
but you can't stop Foone from Fooning
it calls malloc for every character it draws?
huh.
correction:
twice.
twice.
Inari 
@foone the hell
uhh.
I don't see any free()
Dennis@foone interesting way to prevent use-after-free 😜
phnx, abandoned account
nil 
@foone uhoh
I mean it's only allocating like, 24 bytes per character?
and this game has VERY little text.
but still.
you know you've been reversing too long when you have functions named stack_fuckery, more_stack_fuckery, and StackFucker9000
I should have kept my mouth shut, as StackFucker2TheReturn and StackFucker3ThisTimeItsPersonal just showed up
and it looks like this game had a bunch of functions that only existed to do various things that have been defined out, so the machine code is full of these pointless functions that do fuck-all
StackFucker4BeyondThePortalOfTime
StackFuckerOrigins
StackFuckerForever
StackFuckerOrigins
StackFuckerForever
several of these are not even called from anywhere.
probably because they were originally only called from functions that no longer have any contents, thanks to a define.
probably because they were originally only called from functions that no longer have any contents, thanks to a define.
this code appears to be strlen but it seems to count backwards from -1 and then inverts it at the end?
the fuck?
Biason::Julio::new();@foone I was about to type something like "I bet it is some kind of optimization for some weird architecture", but the more I read this code, the less it makes sense...
@foone Also... the thing is destroying the NUL terminator in the original string, which is also weird.
Adrian O’Connor@foone that is truly cursed. Could it be some attempt at obfuscation, trying to hide the code that deals with anti-piracy or something like that? Or is it just weird compilers being weird?
Markus F. Frisch@foone If my very rusty C doesn't let me down - the ~operator flips all bits, so a negative number becomes the positive counterpart but with an offset of 1 ...
Looks fun - where did you find that?
Looks fun - where did you find that?
@mff I'm decompiling Star Trek: Deep Space Nine: Harbringer
Bruce Preston@foone Presumably jump-if-zero is faster than an equality test to some other value and then jump-if-equal? But then why not start count at 1, increment rather than decrement it, and just return (count - 2) with no inversion?
@foone Is this some deranged magic to avoid setting the carry flag?
this is weird. the "Load_Dialogues" function tries to load .ccb files.
but there are no CCB files on the retail disc. Did... did they forget to include the dialogue files? IS THIS WHY THE GAME HAS NO SUBTITLES?
huh.
so the game has no "new_game" function.
instead, if you select "new game", it loads a special savegame named "new.can"
so the game has no "new_game" function.
instead, if you select "new game", it loads a special savegame named "new.can"
Martok@foone Unconventional choice of 16-bit lengths (wait, is this 16 bit?), but otherwise I'd guess this is the equivalent of
for (unsigned int count=0; count<0xffff; count++) {
if (param_1[count] == '\0') break;
}
return count;
Except with the compiler changing array index to moving pointer and inverting the loop because testing for 0 is faster than equality. Used to be a pretty normal thing Borland compilers do, IIRC?
And yeah, 2's complement at the end is just a faster imul -1.
nick@foone strlen but it always returns even if there's no terminator found.
The All-Knowing Cheese AI@foone I think thats a direct translation of an x86 instruction to C code, that has basically that exact behaviour, REPNE SCASB I think
@cheese3660 oh my god you're right. that's what the deal is!
thanks.
thanks.
Hayley Question-Mark@foone StackFuckerInc?
Rather Not@foone some kind of obfuscation?
Palmer Dabbelt@foone that actually sounds like a super clever way to get users to stop filing bugs complaining the compiler was deleting their functions
Chartreuse@foone Compilers will do that since it cannot know at compile time whether the function will be linked to externally. It could optimize out the call at the callers side but removing the function entirely would be on the linker (and normally would need a flag to remove unused symbols)
Carl Tessier@ChartreuseK @foone Yep. However, marking it ‘static’ guarantees that it's not called elsewhere and then it does get deleted. (It also makes it more likely to get inlined.)
BBQDeveloper 
🔞 
@foone games can have a little memory leakage, as a treat
PCLMULQDQ@foone how the fuck did this game run in DOS? You'd think they'd show a little more care in such a restricted environment
Ozzelot@foone Foone gonna Foone
Brandon Hockle@foone oh it’s a 90s magic eye! I think I see a floating unicorn.